
Suppose we send out email verification to new subscribers that where they have to click on a link to verify their account.

Suppose they forget to verify it, and later try to login.

Should the error message say "Your user name or password is incorrect?", instead of letting them know that they have forgotten to verify the account.

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that userid exists ...

Thoughts?

Perhaps the best way to handle it is to allow them to access the account, but don't let them do anything in it until they are verified?

Ole
  • You have their email. You could email them again. – Nic Jul 18 '19 at 16:21
  • Because 2 emails in the sea of 1000 unread emails/spam folder is going to get the message across. – Aron Jul 19 '19 at 07:36
  • @Aron I don't think it's valid to assume that the average person's inbox is so swamped that email stops being an effective way to communicate with them, especially if they're prompted to follow a verification link (or request one). Email serves a purpose and mismanagement of an inbox is user error. – 0xdd Jul 19 '19 at 13:46
  • @0xdd What about the Spam box. Email is not reliable. – Aron Jul 19 '19 at 14:43
  • For spam, you can either take measures on your end to prevent clients from detecting you as spam (clear, well-worded emails help, as do SPF and DKIM on your domain), or you can ask the user to check their spam folder. Loads of services already do this. Email is _massively_ reliable. – 0xdd Jul 19 '19 at 15:19
  • Just allow them to log in and present them with an unskippable screen which reads "Please verify your account by clicking the link in the email we sent on XYZ date. If you do not have this email then click here to re-send it." – MonkeyZeus Jul 19 '19 at 15:55
  • Amazon Cognito does not allow unverified accounts to login ... thoughts? – Ole Jul 29 '19 at 01:42
  • I think we can just send an email when an unverified account tries to sign in and notify the user that they should check their email, but we will not tell them whether their account exists or not. If it does the email will contain the confirmation link. – Ole Jul 29 '19 at 12:44
  • Email is pretty reliable if you don't spam your users or configure your DKIM, SPF and DMARC records correctly. – haylem Jul 18 '22 at 12:39
  • @Ole because that would be bad in many ways. You could churn fake accounts easily, and you could mishandle someone's real inbox to pretend they signed up for a service, which could be damaging to their personal image without them knowing about it (e.g. register a known personality, political or otherwise, and set up an account for them and use that with malevolent intents and share it with the media or competitors) – haylem Jul 18 '22 at 12:41
  • @Ole That being said, you can auto-verify in Amazon Cognito, if I recall correctly. It's just a flag that you can auto-flick yourself to TRUE. May not be the case anymore, but I remember it. While the feature is present, you can programmatically work around it (in effect, calling the same API that would handle the email verification automatically) – haylem Jul 18 '22 at 12:43

6 Answers


What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

Buffalo5ix
  • I would put a full page nagging screen telling him to activate the account first and a button to confirm and re-send the activation email. – ThoriumBR Jul 18 '19 at 16:40
  • However you might find it reasonable to delete accounts that were not activated in a longer while and then the "Username is incorrect" error is correct. – Tomáš Zato - Reinstate Monica Jul 19 '19 at 13:56
  • @ThoriumBR It depends what the service being offered is. I've seen/signed-up-to a number of services where it makes perfect sense to allow a certain level of use, prior to confirming/authenticating an email address. In such cases, a full-page nag screen may be OTT. – TripeHound Jul 19 '19 at 14:59

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

  • proves the ownership of the address, just to know that the user has entered the correct address for you to send spam password recovery emails.
  • serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. [CLARIFICATION: I’m not arguing that you should send messages to unverified email accounts; that would be at least spammy and at worst give a random person the ability to reset the account password if the user mistyped their email. I’m saying that account login shouldn’t be disabled; sending email to an unverified address obviously should be.]

I prefer the small banner on top of the screen reminding me to verify my account and prompting me to re-send the verification email. Treating the user like a suspected criminal or nagging them right after they've registered just isn't polite; make them feel welcome.

Andrew Morozko
  • There may be valid reasons to lock the unverified account if verification helps prevent the abuse of resources. For example, if the application sends emails, permitting use without an account opens the service up to be a relay to send spam: I can register an account under your email address and then use the service to send you unwanted emails. Preventing that abuse is, broadly speaking, security-related. If email is ancillary to the main purpose of the service, there may be less draconian ways of achieving this, such as permitting the use of the account but locking just the email features. – Zach Lipton Jul 19 '19 at 01:21
  • @ZachLipton I agree, but I’m talking specifically about *account* security. Of course email address verification is necessary before sending emails there, but I see no reason to tie the ability to log in with the ability to send email. Unless you’re an email provider ;) – Andrew Morozko Jul 19 '19 at 02:18
  • Email verification also helps prevent someone else signing up with your email and you ending up with all the spam. – Qwertie Jul 19 '19 at 06:50
  • @Qwertie Yes, I know that. Have you seen my first bullet point? – Andrew Morozko Jul 19 '19 at 07:51
  • `I can't see any security-related reason why you should lock the unverified accounts in any way. ` If you don't do it, then I can create hundreds of accounts for fake email addresses. While of course I could still create real email addresses if you required me to validate each account via email; removing the validation makes it a whole lot easier to just create bogus accounts without any repercussions. I would effectively be able to be unbannable on discussion sites as I can constantly pop up with a new account without needing a new (real) email address. – Flater Jul 19 '19 at 09:47
  • @Flater I can create hundreds of accounts with real, verified email addresses. Hosting your own email server takes like 30 minutes of your time and a $5 VPS. Captcha would make this task much more tiring, rate-limiting by IP would make this much more expensive. – Andrew Morozko Jul 19 '19 at 09:55
  • @AndrewMorozko: It takes 30 minutes of _your_ time. It would take me considerably more. I'm not claiming it's impossible to create real accounts; I'm saying the lack of verification significantly lowers the threshold making it possible for people who lack that skill to still spam accounts to their heart's content. – Flater Jul 19 '19 at 10:07
  • @Flater Docker is pretty easy and there are ready-made email stacks. And even if there are unskilled people creating multiple fake accounts, why should I care? An account is just a row in a database. If I’m making a messenger or a forum then I would require phone number verification, or use a karma system a-la StackOverflow if I want to preserve user privacy and limit spam. If I’m providing a service - then I should benefit from users using it. If I’m not, then it’s either a bad service or I should set stricter limits. Using email for identity verification is like using rot13 for encryption IMO – Andrew Morozko Jul 19 '19 at 10:48
  • @Flater but still, returning to my original point: making a new account shouldn’t impact the **security** of your application in general or other accounts, regardless of the email verification status. – Andrew Morozko Jul 19 '19 at 10:57
  • @AndrewMorozko: The question was never about doing verification for security purposes, but rather how to do verification securely (i.e. without infringing on the site's security). OP's main concern is that listing a message that reveals verification is pending will inherently reveal that this email address has an account on the site. – Flater Jul 19 '19 at 11:00
  • @Flater I may have misunderstood the question, but "Suppose they forget to verify it, and later try to login" and "Perhaps the best way to handle it is to allow them to access the account" make me think that we're talking about a situation where unverified user already entered correct login/password, and OP is asking if account being verified should be a requirement a) for the successful authentication (i.e. part of account security) or b) for access to features of the service (i.e. identity verification for abuse prevention). – Andrew Morozko Jul 19 '19 at 11:20
  • @AndrewMorozko: The fact that verification is required is a given (as per the first paragraph). _How_ a user is (repeatedly) asked for verification (and doing so without compromising security) is the actual question. Frame challenges (which your answer attempts to be) are valid answers in general, but you can't really frame challenge this question without knowing the reasons for requiring the verification in the first place. – Flater Jul 19 '19 at 11:24
  • @Flater And I'm not arguing for OP to disable email verification altogether. I'm just saying that it "should not be considered a part of account security", (so it shouldn't play a role in authentication process, and displaying "Your user name or password is incorrect" when username and password were correct infringes on that principle), and pointing out that it has some weaknesses for the identity verification/abuse prevention purposes. – Andrew Morozko Jul 19 '19 at 11:39
  • I second the "Please have a Captcha for sign-up." Take a look [at this](https://webmasters.stackexchange.com/a/115694/89735) for what can happen if you don't. – Michael Jul 19 '19 at 13:31

You don't want to leak the information that the username exists in response to an unauthenticated login attempt. That would allow attackers to determine which of the email addresses on their list exist with your service.

But if the user logs in with the password that they supplied upon registration, that's not the situation you're in. You know (as much as you ever do with passwords) that the person logging in is the same person who registered that password. So there is no harm in telling them that their username exists; they know that, since they registered it!

What you don't know is that this individual actually does control the email address you have for them. That's actually unrelated to verifying the identity of the person logging in with a password. You might want to use it as an alternative means of proving their identity (so they can recover from losing their password). Not having verified their email means you can't safely do that (since you don't know that the person who registered controls that email address), so their control of their own account is not safely established. But it doesn't mean you have any more reason than normal to doubt that the password proved who they were, and treat them as an unauthenticated user.

If you decide it's important not to allow users to log in and use your service without verifying their email, then once you've established the identity of the person you're communicating with you should simply tell them that's what the problem is and let them address it.

Ben
  • First paragraph only applies if there's no public way to register to the service, or if multiple accounts can use the same email. – FINDarkside Jul 19 '19 at 23:45

I'd like to point something out that is perhaps being overlooked:

Should the error message say "Your user name or password is incorrect?", instead of letting them know that they have forgotten to verify the account.

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that userid exists ...

If they have to enter their authentication information, then you can still let them know that they need to verify their account to gain access to it... so long as you only send that message if the authentication is correct. You're not leaking any information this way, because they would have to enter a valid password to get to that message about a given account, at which point they'd otherwise be inside the account anyway.

If you genuinely feel like an unverified account should actually be locked until verified, this is a perfectly fine way to handle it (also give an option to resend the verification email for this screen, as things get lost in spam/etc).

taswyn
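The login flow that Buffalo5ix, Ben and taswyn describe (authenticate first, keep one generic error for unknown-user and wrong-password, and only after a correct password mention the unverified state and gate the sensitive features) can be sketched as follows. This is an added example and not code from any of the answerers; the in-memory user store, the usernames, the PBKDF2 parameters and the notice wording are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

GENERIC_ERROR = "Your user name or password is incorrect."


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    email_verified: bool


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is
    # illustrative, not a tuning recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username: str, password: str, verified: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), verified)


# Constructed in-memory user store (a real service would use a database).
USERS: Dict[str, User] = {
    "alice": make_user("alice", "correct horse battery staple", verified=True),
    "bob": make_user("bob", "hunter2", verified=False),
}

# Credentials for a user that does not exist: hashing the submitted password
# against them keeps the cost of a failed login the same whether or not the
# username is registered, so response time does not reveal account existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def login(username: str, password: str) -> dict:
    """Authenticate first; only a correct password reveals verification status."""
    user: Optional[User] = USERS.get(username)
    salt = user.salt if user is not None else _DUMMY_SALT
    expected = user.password_hash if user is not None else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not password_ok:
        # One message for both "no such user" and "wrong password".
        return {"ok": False, "error": GENERIC_ERROR}
    # The caller has proven they registered this account, so telling them it
    # is unverified discloses nothing they did not already know.
    session = {"ok": True, "user": user.username, "verified": user.email_verified}
    if not user.email_verified:
        session["notice"] = (
            "Please verify your email address using the link we sent you; "
            "you can request a new link from this screen."
        )
    return session


class VerificationRequired(Exception):
    """Raised by features that stay locked until the email address is verified."""


def require_verified(session: dict) -> None:
    if not session.get("ok") or not session.get("verified"):
        raise VerificationRequired("Verify your email address to use this feature.")


def send_message(session: dict, body: str) -> str:
    # Anything that can reach other people's inboxes stays locked until verified.
    require_verified(session)
    return f"sent by {session['user']}: {body}"


def view_profile(session: dict) -> str:
    # A low-risk feature that an unverified user may use right away.
    return f"profile of {session['user']}"
```

The two failure cases return byte-for-byte the same response and perform the same password-hash work, which is what keeps the login endpoint from becoming a username oracle; the verification notice only ever appears inside an authenticated session, where the hint costs nothing.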

Keep in mind that someone may have registered with an email address not belonging to them. Knowing that, if email is required, you should either:

  • Auto-delete accounts that are not verified after X days. Or, better, never create full accounts in the first place and instead put them on a pending list until verification is complete (and allow multiple entries of the same address to this list). You should note this auto-deletion in the email text and also on the signup page.

  • Or, if you don't auto-delete accounts, you should provide some way for the legitimate email owner to later create an account of their own (at which point you should again invalidate/delete the earlier account).

Of course, you should not allow any access whatsoever until the email is verified. And you should never send further emails (including marketing, etc.) to the address until it is verified.

If email is optional to the service, be explicit about that and don't make email a required field at all. In that case, if someone enters an email but never verifies it, you can proceed without email-related functionality - but, again, make sure the same email address can be later reused by the legitimate owner.

I can't stress enough how incredibly frustrating it can be when someone else registers an account with your email address, preventing you from registering your own account on the service because that email address is unique in the database and has been "claimed" by the other account. Even if the email owner can easily reset the account's password, that does not help the fact that the account has been personalised by someone else. Don't put users in that position.

Bob
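Bob's first bullet, a pending list that allows several unverified sign-ups for one address, expires them after X days, and only lets a verified entry claim the address, can be modelled as below. This is an added example, not code from the answer; the 7-day TTL, the fixed reference date and the in-memory tables are assumptions made for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Unverified sign-ups are discarded after this long ("X days" in the answer;
# the value is an assumption).
PENDING_TTL = timedelta(days=7)

# Fixed reference time so the example is deterministic (constructed).
T0 = datetime(2019, 7, 18, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """T0 plus n days; used in place of the wall clock."""
    return T0 + timedelta(days=n)


@dataclass
class Pending:
    email: str
    username: str
    token: str
    expires_at: datetime


@dataclass
class Registry:
    # Verified accounts only: this is the table with the unique-email rule.
    accounts: Dict[str, str] = field(default_factory=dict)  # email -> username
    # Unverified sign-ups: no uniqueness on email, so a stranger's attempt
    # cannot block the address's real owner from registering.
    pending: List[Pending] = field(default_factory=list)

    def sign_up(self, email: str, username: str, now: datetime) -> str:
        if email in self.accounts:
            raise ValueError("address already belongs to a verified account")
        token = secrets.token_urlsafe(32)
        self.pending.append(Pending(email, username, token, now + PENDING_TTL))
        # The token goes into the single verification email; nothing else is
        # sent to the address until it has been verified.
        return token

    def purge_expired(self, now: datetime) -> int:
        """Drop pending sign-ups past their TTL; returns how many were removed."""
        before = len(self.pending)
        self.pending = [p for p in self.pending if p.expires_at > now]
        return before - len(self.pending)

    def verify(self, token: str, now: datetime) -> bool:
        """Promote the pending sign-up holding this token to a full account."""
        self.purge_expired(now)
        match: Optional[Pending] = None
        for p in self.pending:
            if secrets.compare_digest(p.token, token):
                match = p
                break
        if match is None or match.email in self.accounts:
            return False
        self.accounts[match.email] = match.username
        # The address is now claimed; every other pending entry for it is void.
        self.pending = [p for p in self.pending if p.email != match.email]
        return True
```

Because the uniqueness constraint lives on the verified table only, a stranger who signs up with your address never "claims" it: their entry either expires or is discarded the moment your own verification succeeds.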

Assuming that you have a sign-up form that doesn't allow duplicate usernames, it's trivial to check if the username exists.

Solomon Ucko